Never set session cookies for API requests

Implement a custom session interface that never sets session cookies on API requests Fixes freedomofpress#3876
rjmackay · Nov 24, 2018 · 639ce21 · 639ce21
1 parent 1b5ea7d
commit 639ce21
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/securedrop/journalist_app/__init__.py b/securedrop/journalist_app/__init__.py
@@ -19,6 +19,7 @@
 from journalist_app.utils import get_source, logged_in
 from models import Journalist
 from store import Storage
+from session_that_ignores_api import SessionThatIgnoresAPI
 
 import typing
 # https://www.python.org/dev/peps/pep-0484/#runtime-or-type-checking
@@ -40,6 +41,7 @@ def create_app(config):
 
     app.config.from_object(config.JournalistInterfaceFlaskConfig)
     app.sdconfig = config
+    app.session_interface = SessionThatIgnoresAPI()
 
     csrf = CSRFProtect(app)
     Environment(app)

diff --git a/securedrop/session_that_ignores_api.py b/securedrop/session_that_ignores_api.py
@@ -0,0 +1,17 @@
+from flask import sessions, request
+
+class SessionThatIgnoresAPI(sessions.SecureCookieSessionInterface):
+    def should_set_cookie(self, app, session):
+        """Used by session backends to determine if a ``Set-Cookie`` header
+        should be set for this session cookie for this response.
+
+        Extended in this class to skip setting the session cookie
+        for all API requests
+        """
+
+        if request.path.split('/')[1] == 'api':
+            # Session cookies are not relevant to API requests so always return False
+            return False
+        else:
+            # All other cases revert to standard behaviour
+            return super(sessions.SecureCookieSessionInterface, self).should_set_cookie(app, session)